HTTP protocol has become a popular channel for malware to either communicate with malicious servers (e.g., Command & Control (C&C), Drive-by-Download, and drop-zone) or attack other benign servers. Through sending HTTP requests, malware can easily disguise itself under a large mount of benign HTTP traffics. Thus, finding those malicious HTTP activities is an error-prone process. Most of existing work detects those malware activities by analyzing the reputation of each domain that malware connected to in isolation.